CVE-2026-34053 · HIGH 8.1 · EPSS p33.0%

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers, and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.41% probability of exploitation · percentile 33.0% · 2026-06-19T12:03:05Z
Published: 2026-03-26
Last modified: 2026-03-26

Underlying weaknesses · 1

CWE-862

References

  1. https://github.com/openemr/openemr/commit/7a16b731af7d34ffd92155fe2a5692fa1a67858e
  2. https://github.com/openemr/openemr/releases/tag/v8_0_0_3
  3. https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98

Type: Weakness · Target: Missing Authorization (cwe-862) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-32126
  2. CVE-2026-25131
  3. CVE-2026-33918
  4. CVE-2026-25164
  5. CVE-2026-33302
  6. CVE-2026-32127

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.